Bluepurple Pulse: week ending April 9th
Bluepurple Pulse: week ending April 9th
🥚🐰
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week the usual tempo continues with nothing overly standout which says something of our time given the level of reporting and output in the below.
In the high-level this week:
Criminal Marketplace Disrupted in International Cyber Operation - Since its inception in March 2018, Genesis Market has offered access to data stolen from over 1.5 million compromised computers around the world containing over 80 million account access credentials - the scale of the compromise is as impressive as the scale of law enforcement response.
A year of United Nations cybercrime negotiations - Consensus will be difficult, as will be concluding the negotiations by the deadline. Tough decisions are ahead as the new cybercrime treaty aspires for universal adoption - probably the understatement of our time when you consider we have certain national actors involved who aren’t always sincere and engage in blunting activities.
the UK’s National Cyber Security Center has released its updated board toolkit for executives - I made a small contribution as this was delivered with support from their Industry 100 program.
Commercial spyware / Counter cyber proliferation
EU Prosecutor probes Greek ‘Predatorgate’ - The European Public Prosecutor’s Office (EPPO) has launched an investigation into the use of illegal Predator spyware in a wiretapping scandal that has shaken Greek politics
Estonian National Charged with Helping Russian Military Acquire U.S. Electronics, Including Radar Components; Sought-Computer Hacking Software - “one of Shevlyakov’s front companies exchanged messages with a Russia-based individual about acquiring a licensed copy of Metasploit Pro”
Stopping cybercriminals from abusing security tools - "[we] are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. "
Cyber Insurance
Lloyd’s of London exposes divisions over booming cyber insurance market - a follow up article provided some clarity on the situation “Despite the negative press that Lloyds of London got for some of the exclusions they’ve come up with, the vast majority of insurers are adopting variants where the intention is to only exclude nation-state attacks that form part of an armed conflict or impact the underlying functioning of a state,”
Insurance as Crime Governance: Comparing Kidnap for Ransom and Ransomware - “through taking a broader ‘governance system’ view, it became clearer which deficits cyber insurance should address as a priority in tackling the ransomware boom. The cyber insurance market must prioritise discovering and disseminating best practice standards for preventing, containing and resolving cybercrime that serve both the market and the public interest, and creating institutions to enforce these broadly (perhaps with the aid of governments)”
UK’s National Cyber Force came out of the shadows and had various articles published on it:
National Threat & Resilience
The cyber threat against Greenland - “The threat of destructive cyber attacks against Greenland is LOW”
Chatham House published their report from London conference on strengthening cyber resilience held in November ‘22 - “The conference’s aim was to share experiences and knowledge about how international cybersecurity capacity-building can support national sustainable development and cybersecurity outcomes.”
Better secured government internet routing before the end of 2024 - mandated Resource Public Key Infrastructure ( RPKI ) - a technique that aims to prevent certain route leaks and hijacks in the Netherlands.
Policy & Strategy
The Chinese Conception of Cybersecurity: A Conceptual, Institutional and Regulatory Genealogy - A greater understanding of China’s conception of cybersecurity opens avenues for scholarly inquiry and policy implications. First and foremost, as a key component of China’s vision of Internet governance, it will have a significant role to play as the current structures of Internet governance come under increasing pressure. This pressure not just comes from China itself, but from a range of countries in the global South that at least partly share its anti-hegemonic instincts and its rejection of US dominance.
Policy Paper: The National Cyber Strategy & Florida - I love that US States are now translating national policy into regional impact. Likely some lessons here for others with similar devolved national structures.
National Strategy To Advance Privacy-Preserving Data Sharing And Analytics - This National Strategy to Advance Privacy-Preserving Data Sharing and Analytics (Strategy) lays out a path to advance PPDSA technologies to maximize their benefits in an equitable manner, promote trust, and mitigate risks. This Strategy takes great care to incorporate socioeconomic and technological contexts that are vital to responsible use of PPDSA technologies, including their impact on equity, fairness, and bias—and how they might introduce privacy harms, especially to disadvantaged groups.
Enforcement of Cybersecurity Regulations: Part 2 - The tools available to regulators are not only legal action, but education, advice, persuasion, and negotiation. Enforcement is serial and incremental. Full compliance is short lived.
Live streaming by videoconference of classes in state school education falls within the scope of the GDPR - ruling in Germany on this.
Breaches
Lumen confirm two cyber incidents in SEC filing - including a latent breach that was found due to upgrade in detection and response capabilities - some great ROI there.
Western Digital Provides Information on Network Security Incident - "unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data" - given the lack of detail how do we regain assurance over their critical supply chain role in storage?
The reflections this week are built on an observation around World Economic Forum’s (really Deloitte’s) piece titled Why it's time to get your board to take the quantum threat seriously and the Netherland’s AIVD which published their post quantum crypt migration handbook this week. The observation is that NIST isn’t due to publish the standardization documents for post quantum crypt till 2024 - so unless you are a government dealing with secrets which need to be kept for 50+ years you can likely wait till they do before you deploy.
On the interesting job/role front:
Technical Specialists (including Cyber) at the UK’s Defence Science and Technology Laboratory
Threat Intelligence Analyst, Operational Technology at Google (remote)
Senior Cyber Threat Intelligence Analyst at the London Stock Exchange Group
Cyber Incident Response Manager in the UK at ARM
Cyber Policy & Strategy Masters (MA) at Kings’s College London
Enjoying this? don’t get via e-mail? Subscribe:
Think someone else would benefit? Share:
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia / Ukraine
Substantial reporting on Russia / Ukraine this week.
IT Army of Ukraine: Analysis of Threat Actors In The Ukraine-Russia War
Firstly, you should all be very proud of me as I found out how to link to this vendors PDFs directly and thus I’m able to copy and paste from them.
Secondly, this is a report which gives a sense of scale.
IT Army Of Ukraine has targeted almost all sectors in the last year. In total, it has carried out DDoS attacks by sharing over 9,100 individual IP addresses and URLs on the Telegram channel.
They are not just DDoS.
February 15, 2023 They gained access to the corporate network of PayTrans, an IT company that serves the payments of Moscow's normal and medium-capacity metro. It leaked source code for online payment mobile apps, application server for wire transfers, ORA2 and ORA1 for payment transactions, CCTV data.
Meet the FSB contractor: 0Day Technologies
This is what happens when your cyber supply base is gone after by someone aligned to your adversaries.
0DT’s surveillance work was mostly on SORM, the Russian government’s main surveillance technology. The company developed a suite of tools from deep packet inspection (DPI) to analysis, including social graphs for identifying dissidents and lawful intercept of social media and messaging apps.
https://clement-briens.com/2023/04/01/meet-the-fsb-contractor-0day-technologies/
Joker DPR and the Information War
A Russian aligned non state actor detailed here to a glorious level.
To date, Joker DPR’s most significant claim has been an alleged breach of DELTA, a battlefield management system (BMS) that has proven effective for Ukraine’s national defense. Joker DPR’s alleged breach was unlikely to have been as wide-reaching as the threat group claimed. Nevertheless, it is part of a growing body of evidence that suggests Joker DPR is deliberately supporting Russia’s information war in Ukraine.
An interesting assertion in the reporting.
Joker DPR has built a sizable following on its Telegram channel. As its audience and infrastructure grows, it may gain the increased ability to undermine Ukraine’s war effort.
Quantification around that undermining
https://www.recordedfuture.com/joker-dpr-and-the-information-war
VulkanFiles leak
These files have been covered by various news sites and they were covered here last week. Subsequent reporting and actual release of a subset of the data has occurred this week.
Analysis of the VulkanFiles leak
This technical analysis of their capabilites is based on access provided via Le Monde in France.
Exfiltrated Russian-written documents provide insights into cyber offensive tool projects contracted by Vulkan private firm for the Russian Ministry of Defense.
Scan-AS is a database used to map adversary networks in parallel or prior to cyber operations. Scan-AS is a subsystem of a wider management system used to conduct, manage and capitalize results of cyber operations.
Amezit is an information system aimed at managing the information flow on a limited geographical area. It allows communications interception, analysis and modification, and can create wide information campaigns through social media, email, altered websites or phone networks.
https://blog.sekoia.io/sekoia-io-analysis-of-the-vulkanfiles-leak/
Actual files
Then we had a subset of the files released into open source.
https://www.documentcloud.org/app?q=%2Borganization%3Apaper-trail-media-40926
KillNet’s Targeting of the Health and Public Health Sector (December 2022 – March 2023)
From the US Health Sector Cybersecurity Coordination Center.
In the late January 2023 attack, over 90 known orchestrated DDoS attacks took place on healthcare systems (covering multiple hospitals), lone hospitals, and medical centers. Of these, 55% were healthcare systems with at least one hospital and lone hospitals with Level I trauma centers, which provide the most comprehensive and highest level of trauma care to critically ill or injured patients.
https://www.hhs.gov/sites/default/files/202304051200-killnet-analyst-note-tlpwhite.pdf
Twin-Tailed Scorpion / Mantis
Two bits of reporting on this Hamas suspected threat actor.
Analysis of the latest attack activities of the APT-C-23 (Twin-Tailed Scorpion) organization
The first comes from China, the tradecraft covered here is the repackaging of legitimate software to also include malicious payloads and then using phishing websites to convince users to deploy.
[We] discovered the latest Hamas attack again. The samples used in this attack belong to the same family as the samples disclosed by the Israel Defense Forces. The attack began in June 2022 and is still active today . . Different from the past , the attack samples used in this attack use repackaging technology to package malicious applications as subpackages into legitimate applications
..
After the malicious subpackage runs, it uses the MQTT protocol to connect to the server
Mantis: New Tooling Used in Attacks Against Palestinian Targets
The second is English and covers some of their Windows focused tradecraft. For a fundamentalist group in an unstable region the fact they have developed tradecraft akin to a basic commercial team is likely of note.
The first evidence of malicious activity occurred on December 18, 2022. Three distinct sets of obfuscated PowerShell commands were executed to load a Base64-encoded string, which started embedded shellcode. The shellcode was a 32-bit stager that downloaded another stage using basic TCP-based protocol from a command-and-control (C&C) server.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks
North Korea
North Korea reporting varies this week.
3CX
Based on reporting this week this operation is largely suspected to have focused on crypto currency asset theft.
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
Georgy Kucherin provides insights to the later stages of the 3CX breach chain through their endpoint telemtary.
The decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).
The payload connects to one of the C2 servers, downloads an infostealer and starts it.
The infostealer collects system information and browser history, then sends it to the C2 server.
On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020. Three years ago, we were investigating an infection of a cryptocurrency company located in Southeast Asia. During the investigation, we found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
3CX DesktopApp supply chain attack confirmed in Korea
I include this South Korean reporting for completeness, the primary value is the regional confirmation of activity.
Considering that “icon10.ico” and “icon11.ico” are identical except for the “icon0.ico” file that contains the normal URL, there are 14 C&C server addresses out of 16 ico files. The downloader can connect to the decrypted address, download and execute additional malware, and is known to have installed InfoStealer
How we’re protecting users from government-backed attacks from North Korea
A overview from a hyperscaler on the Hermit Kingdom’s activities. The most notable is the evolution of their phishing tradecraft as seen below.
One example of ARCHIPELAGO’s shifting phishing techniques is a campaign in late 2022 where they sent links to a benign PDF file hosted in OneDrive. The PDF claimed to be a message from the State Department Federal Credit Union notifying customers they detected malicious logins from their Google Account and that the customer should click the link in the PDF to verify activity from their Gmail account. If clicked, the link directed recipients to a phishing page. ARCHIPELAGO created unique PDFs for each recipient so that when the recipient clicked, the phishing page was pre-populated with the recipient’s email address.
By placing the phishing link inside a benign PDF hosted on a legitimate cloud hosting service, ARCHIPELAGO was likely trying to evade detection by AV services that do not scan links inside files.
Initech Product (INISAFE CrossWEB) Security Update Advisory
Banking software mandated to many South Koreans has become a target by North Korea. Interestingly the first attacks were detected almost a year ago in April, 2022. Not a great look in terms of vendor response.
A security update to address the vulnerability of Initech's INISAFE CrossWeb EX V3 program has been announced. It is an electronic financial and public sector financial security certification software used for Internet banking.
North Korean hacking group 'KIMSUKY' - UN North Korea Sanctions Committee impersonation attack (2023.04)
South Korean reporting on a North Korean campaign using files for their regional equivalent of Microsoft Office called Hangul Office. This tradecraft is not new and is rather clumsy otherwise.
Phishing Attack Activities: Threat Actors in Sheep’s Clothing (KOR)
A broad analysis of North Korean phishing activity in this summary. For context SectorA05 is Lazarus.
[We classify] the SectorA groups into a total of 7 sub-hacking groups, and the phishing attack activities of the SectorA groups that occurred in 2022 identified the activities of the SectorA02 and SectorA05 groups.
Moqhao masters new tricks
SMS Phishing to deploy malware behind SOHO routers which is then used to attack said routers and perform DNS hijacking. The novelty is they have their own captcha solving service on the Internet in order to achieve their objectives on some routers.
When Moqhao identifies a vulnerable model, it crawls the router’s web-admin pages searching for specific patterns. These patterns are based on hardcoded strings embedded in Moqhao’s configuration to extract login forms and images from the CAPTCHA challenges. If such predefined patterns are matched, Moqhao uses a list of default usernames and password
Moqhao’s OCR service is currently exposed to anyone on the Internet and is not protected by any form of authentication. As of February 2023, this service could be further employed by other criminals as a free CAPTCHA-bypass mechanism. At the time of our analysis, access to one of the vulnerable router models was not available.
https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484
Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign
This is a massive campaign just used to redirect site traffic to scam sites. This is what at scale low level cyber criminal enterprise looks like in 2023.
In 2022 alone, [we] detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains.
Technical analysis of the Genesis Market malware and tooling
This company was shared data from seized Genesis infrastructure by law enforcement. Their tradecraft is interesting including this little snippet. Anyway this is clear they understood how it all worked and developed refined offensive tradecraft in response to stay under the victims and the financial institutions radar as long as possible.
One of the things the extensions monitors for is emails you might receive from various crypto exchanges. If so, it rewrites the email, to make them look less suspicious. For example, changing an email about a withdrawal into an email about a new sign-in.
They have support for Gmail, Hotmail/Outlook and Yahoo and seem to monitor emails from Binance, Bybit, Huobi, Okx, Kraken, KuCoin and Bittrex.
Another interesting feature of the malicious browser extension is the ability to proxy HTTP requests through the victim’s browser.
https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/
GoatRAT Attacks Automated Payment Systems
Lathashree K details an Android implant which targets users in Brazil which use the PIX key system. Again shows that threat actors will evolve their tradecraft to collect second factors as needed.
GoatRAT banking trojan is an Android Remote Administration Tool to gain access and control targeted devices which carries out fraudulent money transactions using PIX key.
https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/
Rorschach – A New Sophisticated and Fast Ransomware
Jiri Vinopal, Dennis Yarizadeh and Gil Gekker detail a new actor who has run onto the ransomware playing field. More likely someone who has learnt their trade elsewhere and gone into business for themselves. Initial access means is currently unknown, note the use of legitimate endpoint security tooling to their their malicious binary side loading.
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0.
The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption.
The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks.
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
The old way: BabLock, new ransomware quietly cruising around Europe, Middle East, and Asia
Andrey Zhdanov and Vladislav Azersky provide further reporting on the same threat actor including insight into some of their initial access tradecraft.
The absence of DLS, along with relatively modest ransom requests ranging from 50,000 to 1,000,000 USD, allows the group to operate stealthily and remain under the radar of cybersecurity researchers. The strain has been active since at least June 2022, when its earliest known version for ESXi was released. Interestingly, all BabLock ransomware modules for Windows that [we] found were compiled in 2021, according to timestamps.
To gain initial access to the victim’s infrastructure, the attackers used a remote code execution (RCE) vulnerability in the email software Zimbra Collaboration (ZCS) 8.8.15 and 9.0, namely CVE-2022-41352 that enables a threat actor to remotely execute arbitrary code.
https://www.group-ib.com/blog/bablock-ransomware/
IcedID
Malicious ISO File Leads to Domain Wide Ransomware
Our friends at DFIR report detail a historic campaign from September 2022 once again showing the value of honeypot derived intelligence.
On the start of the fourth day, the threat actors continued to repeat their previous discovery and beacon spreading activity. Near the end of the day, the threat actors moved to install AnyDesk on several servers including a backup management host, likely as a further means of persistence or later command and control. Next, the threat actor executed PowerShell to pop up an alert message on several hosts, letting the user know that the machine was infected with Cobalt Strike.
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
The many faces of the IcedID attack kill chain
More up to date reporting on the same criminal actor. This reporting gives a sense of their various bits of initial access tradecraft.
[We] noticed some very interesting and seemingly overlapping IcedID campaigns over the past couple of months. IcedID is a modular trojan that made its appearance in 2017, and since then it’s proven itself to be one the most notorious pieces of malware. In this blog we will briefly touch on the different IcedID campaigns we have been tracking including:
Malicious OneNote campaign
.url files using webdav protocol campaign
Thumbcache viewer campaign
HTML smuggling campaigns
https://www.menlosecurity.com/blog/the-many-faces-of-the-icedid-attack-kill-chain/
Dissecting IcedID behavior on an infected endpoint
This reporting gives slightly different insight into their end-to-end tradecraft.
[We] observed a recent malspam campaign where IcedID was delivered via an archived zip file containing a Visual Basic script.
Upon execution of a malicious JavaScript associated with the IcedID infection, it calls the command interpreter to execute a base64 encoded Windows PowerShell. The PowerShell then communicates outbound to an IcedID redirect domain, followed by a download of a malicious DLL file. Next, the PowerShell executes the downloaded DLL using the Rundll process. And finally, the DLL is launches a Command and Control (C2) client that generates traffic with IcedID C2 server.
https://blogs.opentext.com/dissecting-icedid-behavior-on-an-infected-endpoint/
Telegram phishing bots and channels: how it works
Olga Svistunova details how criminals have followed the private sectors focus on customer experience through direct engagement. It is almost has if these criminals have has training in customer success and product led growth strategies.
The service is especially popular with phishers. They have become adept at using Telegram both for automating their activities and for providing various services — from selling phishing kits to helping with setting up custom phishing campaigns — to all willing to pay.
To promote their “goods”, phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, “What type of personal data do you prefer?”. Links to the channels are spread via YouTube, GitHub and phishing kits they make.
https://securelist.com/telegram-phishing-services/109383/
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
Pawel Knapczyk and Wojciech Cieslak detail how a criminal actor is executing their crypto currency thefts via Google Chromes extensions. Note the use of malicious adverts in the chain.
Password-Protected OneNote Files to Spread Malware
Noting the subtle change in tradecraft here by one actor to frustrate inline malicious code detection.
https://perception-point.io/blog/hackers-use-password-protected-onenote-files-to-spread-malware/
Inside the Halls of a Cybercrime Business - Size Matters: Unraveling the Structure of Modern Cybercrime Organizations
David Sancho and Mayra Rosario Fuentes provide some estimated statistics that will cited as concrete evidence without their caveats no doubt in various forums.
In this paper, we show estimates for the quarterly financial reports for typical criminal groups under small, medium, and large enterprise categories. These were not taken from real criminal organizations, as precise figures are naturally not disclosed, but are instead based on our observations and estimations. It’s worth pointing out that by merely looking at these financial reports, one cannot prove any correlation between a group’s output and its level of sophistication.
The Rise of FusionCore An Emerging Cybercrime Group from Europe
This is what a 10 month old criminal start-up looks like.
[We] identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware. The operators have started a ransomware affiliate program that equips the attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.
https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/
Discovery
How we find and understand the latent compromises within our environments.
Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer
Koos Goossens provides a neat trick to save some cash in the Microsoft eco-system to give you some long term data sets.
More and more customers ask me what the options are to extend the retention in Microsoft 365 Defender beyond the default 30 days.
In this article I'd like to demonstrate how you can leverage Azure Data Explorer (ADX) to archive data from Microsoft 356 Defender without having to make use of Microsoft Sentinel in between. Because relaying this data through Sentinel is not preferred by most, due to the added costs that come along with it.
Fuzzy hashing logs to find malicious activity
Steve Versteeg details a technique which I suspect could be used to also aid vulnerability discovery in web apps through similar log file analysis.
While there are a variety of fuzzy hash algorithms, most focus on identifying similarities across different files. Microsoft Incident Response has developed a new fuzzy hash algorithm, called "JsonHash" which is specifically designed for comparing semi-structured data, such as log entries.
In this blog we will explain how a JsonHash is calculated, then show some practical examples of how it can be used. We implemented JsonHash using the python plugin for Azure Data Explorer and used it to search for web shell activity in IIS logs. Logs corresponding to the web shell activity had similar JsonHash values, demonstrating how JsonHash can be used to find related groups of malicious activity.
Realtime monitor for Microsoft-Windows-Winsock-NameResolution
Grzegorz Tworek provides some code to get real time DNS resolution out of ETW. There are a multitude of pre and post use cases for this capability.
https://github.com/gtworek/PSBits/tree/master/ETW
Defence
How we proactively defend our environments.
DevOps threat matrix
https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/
Logging strategies for security incident response from AWS
Anna McAbee, Ciarán Carragher, and Pratima Singh provide the best practices according to AWS.
In this blog post, we will show you how to achieve an effective strategy for logging for security incident response. We will share logging options across the typical cloud application stack, log analysis options, and sample queries.
https://aws.amazon.com/blogs/security/logging-strategies-for-security-incident-response/
Letting users block injected third-party DLLs in Firefox
Greg Stoll details a feature for which there will be security use cases.
With Firefox 110, users can block third-party DLLs from being loaded into Firefox. This can be done on the about:third-party page, which already lists all loaded third-party modules. The about:third-party page also shows which third-party DLLs have been involved in previous Firefox crashes; along with the name of the publisher of the DLL, hopefully this will let users make an informed decision about whether or not to block a DLL.
https://hacks.mozilla.org/2023/03/letting-users-block-injected-third-party-dlls-in-firefox/
Blocked attachments in Outlook
Take this list and then run this Batch file I wrote - the delta is your attach surface via email.
Framework for understanding intention-unbreakable malware
Academic work from China. A window into a possible future.
The anti-analysis technology of malware has always been the focus in the cyberspace security field. As malware analysis techniques evolve, malware writers continually employ sophisticated anti-reverse engineering techniques to defeat and evade state-of-the-art analyzers. Therefore, to prepare for unknown attacks, studying malware analysis techniques is insufficient. More importantly, we should study new antianalysis techniques for malware. This paper expands the concept of anti-analysis malware and defines a type of intention-unbreakable malware (IUM).
In this paper, we present a new type of malware threat, IUM. Compared to current malware, IUM is much harder to be detected, and even if it is detected as malicious by advanced detection tools, it will not expose the hidden attack intention, so that a class of malware with the same attack intention cannot be completely detected.
http://scis.scichina.com/en/2023/142104.pdf
Vulnerability
Our attack surface.
Use ZoomEye to find Jupyter servers without identity verification enabled
Chinese Shodan used to find data analysis servers without authentication.
We used the following keywords to search on ZoomEye, and found the Jupyter Notebook server IP address and port that can be directly viewed and used without authentication, with a total of 1180 results.
title:"Home Page - Select or create a notebook"
https://paper.seebug.org/2058/
Protected users (on Windows): you thought you were safe uh?
Aaurelien Chalot gives a lesson on when protected users may not be as protected as first thought.
In this blogpost I’ll explain what the Protected Users group is, why it is a nice security feature and yet why it is incomplete for the Administrator (RID500) user.
Restriction of the Protected Users group is not complete when it comes to the RID500 user of the Active Directory domain. We cannot connect using the NTLM authentication protocol but we can connect using the Kerberos authentication protocol with RC4.
https://sensepost.com/blog/2023/protected-users-you-thought-you-were-safe-uh/
Offense
Attack capability, techniques and trade-craft.
LOLDrivers - Living Off The Land Drivers
Bring Your Own Vulnerable Drivers was a thing. This is the next generation by Michael Haag.
Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from. This invaluable resource empowers organizations to better understand and mitigate driver-related security risks.
https://haggis-m.medium.com/living-off-the-land-drivers-a5d74d45e77a
LOOBins: Living Off the Orchard: macOS Binaries and Scripts
Brendan Chamberlain brings a Living Off The Land catalogue to macOS, hold on everyone.
Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes.
https://github.com/infosecB/LOOBins
Microsoft Direct Send - Phishing Abuse Primitive
I know of at least one Red Team who may of used this technique in years gone by..
This vector abuses Microsoft Direct Send service in order to propagate phishing emails from an external sender to an internal user, whilst spoofing the properties of a valid internal user. This “feature” has existed since before 2016. However, threat intelligence available to us has only observed it being abused recently.
https://www.jumpsec.com/guides/microsoft-direct-send-phishing-abuse-primitive/
Lateral movement tool development: wmiexec-Pro
A Chinese lateral moment tool, it was noted on the subreddit that some endpoints detect this out of the box.
SharpC2: HTTPS with Redirector
Daniel Duggen shows how to build a more resilient C2 infrastructure.
This post will demonstrate how to use the HTTPS handler in SharpC2 with an Apache redirector. I’ll be running SharpC2 inside WSL on my physical host and an EC2 instance as my redirector. The traffic will be proxied from Apache to SharpC2 over a reverse SSH tunnel.
https://rastamouse.me/sharpc2-https-with-redirector/
Windows Defender Exclusion Persistence with Registry.pol
Mark Mo shares some tradecraft which you can see being used by ransomware crews.
Microsoft is aware of this issue and future tamper protections will be implemented in the future. In the mean time. Watch for exclusions in the registry (Paths, Processes, IP, etc)
https://medium.com/@markmotig/windows-defender-exclusion-persistence-with-registry-pol-666acef2bb9
IDLE-Abuse: A method to execute shellcode using RegisterWaitForInputIdle API
Does what it says on the tin.
https://rixed-labs.medium.com/shellcode-execution-using-registerwaitforinputidle-291c82d2d3fd
https://github.com/RixedLabs/IDLE-Abuse
PhoenixC2 - A C2 Framework for Red Teams
Luca Hennemann drops a new C2 framework, get those infrastructure fingerprints ready..
PhoenixC2 is not a replacement for other C2 Frameworks, it is just another tool for Red Teams. I tried to make PhoenixC2 as easy to use as possible, but it is still in development and there are still many features and bug fixes missing.
https://screamz2k.github.io/posts/phoenixc2-first-release/
rogue: A barebones template of 'rogue' aka a simple recon and agent deployment
Austin Hudson drops a capability which works over ICMP.
https://github.com/realoriginal/rogue
Exploitation
What is being exploited.
Proxyjacking has Entered the Chat
Reporting by Crystal Morin on how criminals get some of their proxy IP supply.
a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then sold the victim’s IP addresses to proxyware services for profit
https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
Active Exploitation of High-Severity Vulnerability in Elementor Pro
From the Singaporean government.
There are reports of active exploitation of a high-severity vulnerability in Elementor Pro to redirect visitors to malicious domains, or upload backdoors to the compromised site. Elementor Pro is a WordPress page builder plugin that also features a WooCommerce builder for online shops.
https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-041
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities
Cara Lin details two vulnerabilities to distribute various bots. These are old vulnerabilities and in the case the systems are embedded devices.
[We] observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware.
CVE-2021-35394 is an arbitrary command injection vulnerability that affects UDPServer due to insufficient legality detection on commands received from clients.
CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Bropper: An automatic Blind ROP exploitation tool
I missed this when it first came out a few months back. This is a window into the future of exploitation.
Flow of exploitation
Find buffer overflow offset
Find canary
Find saved registers (RBP / RIP)
Find stop gadgets
Find brop gadgets
Find a Write function (write / dprintf / puts / ...)
Leak the binary
https://github.com/Hakumarachi/Bropper
Fujisaki: An ongoing (fast prototyping) project
Chinese information operation R&D basis right here..
to create your own doppelgänger based on your Twitter archive and LoRA+Alpaca - The project is currently based on ChatGLM+LoRa and is currently working on generating Chinese content
https://github.com/ljsabc/Fujisaki
Locating kernel32!BaseThreadInitThunk in NTDLL
Odzhan drops this which will have various uses.
Some applications like Mozilla Firefox and Microsoft Edge will replace this with their own function for hooking purposes.
The following code shows how to find it without using debugging symbols.
gist.github.com/odzhan/fe278c2588e462edf3a9fd61f3c51d93
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
2022 Website Threat Research Report - data revealed that a large majority of compromised environments were affected by malicious PHP scripts, .htaccess malware, and remote code execution backdoors. 69.63% of compromised websites were found to have at least one backdoor at point of remediation
Monthly malware digest - In this report, we highlight malware trends utilizing data from abuse.ch’s open platforms. These collect, track and share resources relating to malware campaigns, including the URLs of malware distribution sites, malware samples, and indicators of compromise.
Commonwealth Cybercrime Journal: Volume 1, issue 1 - This first issue of the CCJ examines contemporary issues and topics such as the use of artificial intelligence (AI) in judicial decision-making in criminal matters; co-dependency between cybercrime and organised crime; data privacy concerns in relation to bring-your-own-device (BYOD) working practices; a comparative review of national cybercrime laws; regional cyber-criminogenic theory; cybercrime reporting; and cyber diplomacy co-operation on cybercrime.
SubSeven: SubSeven Legacy Official Source Code Repository - for those of a certain vintage
The digital harms of smart home devices: A systematic literature review
A Conversation on Cybersecurity with NSA’s Rob Joyce - on April 11th
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.
